The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a broad statute that contains many provisions that affect health plans. Some of the significant rules contained within HIPAA relate to ensuring the privacy and security of personally identifiable information (the Privacy and Security Regulations) and setting uniform standards for the transmission of electronic health care claims data (the Electronic Data Interchange Regulations).
The HIPAA Privacy Regulations (or “Privacy Rule”) govern the use and disclosure of personally identifiable health information. Key items which are governed within the Privacy Rule include:
- Protection of personally identifiable health information (PHI) in any form including oral, paper, and electronic;
- Covered Entities, which include health plans, health care clearinghouses, and health care providers that conduct certain financial and administrative transactions electronically;
- Covered Entities may disclose PHI to certain vendors or service providers, known as Business Associates, if a proper contract protecting the PHI is in place;
- When making a disclosure to another health care provider for purposes of treatment, providers have been given full discretion to determine what records shall be released. When a disclosure is made for purposes of payment, Covered Entities may send only the minimum amount of information needed;
- Covered Entities must comply with certain administrative requirements, such as appointing a Privacy Official, implementing safeguards to protect PHI and training members of the workforce;
- Patients must be given detailed written information explaining their privacy rights and how their information will be used (a Notice of Privacy Practices). Patients have a right to view their own health records and request corrections. Patients also have a right to obtain documentation of any disclosures made of their health care records;
- PHI may not be used or disclosed other than as permitted by the Privacy Rule. The main permitted uses are for treatment of the individual, payment for the individual’s health care and health care operations of the Covered Entity. PHI may also be disclosed to plan sponsors for purposes of plan administrative activities. In some cases, disclosures may be made to an individual’s family and/or friends and for specific public policy purposes;
- Specific authorization must be obtained prior to any disclosure that is not expressly permitted by the Privacy Rule. Employers that sponsor health plans may not gain access to health information for employment-related purposes without the patient’s consent;
- Where a state has passed a law that conflict with these regulations, the law that provides the greater privacy protections will apply.
The HIPAA Security Regulations (or “Security Rule”) impose requirements on Covered Entities with respect to the protection of electronic PHI (“ePHI”). The main purpose of the Security Rule is to ensure the confidentiality, availability and integrity of ePHI. Covered Entities must implement certain safeguards designed to do so. Covered Entities must protect against reasonably anticipated threats to ePHI and uses or disclosures of ePHI that are not permitted under the Privacy Rule. Covered Entities must also protect ePHI by ensuring that their workforces comply with the security requirements. Covered Entities must implement reasonable and appropriate safeguard standards to protect ePHI. The safeguards are intended to be flexible depending on the type, size and sophistication of the Covered Entity.
The Department of Health and Human Services (“HHS”) is responsible for enforcing the Privacy and Security Rules. HHS may also refer cases to the Department of Justice for criminal prosecution. Criminal penalties vary depending on the circumstances of the violation.
The Electronic Data Interchange (“EDI”) regulations set forth standardized electronic transaction guidelines for transmission of health care data.
- Organizations governed by this regulation include health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form. Self-administered group health plans with less than 50 plan participants are exempt. (Note: When employers are acting as a health plan or health care provider, they are required to comply with these standards.)
- Electronic transactions covered under the regulation include health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, and referral certification and authorization.
- The regulations require that all Covered Entities use the same “code sets” and transmit the data in the same format. A code set is any set of codes used for encoding data elements, such as medical diagnosis codes or medical procedure codes.
The regulations are intended to streamline electronic health care transactions by insuring that insurance carriers, third party administrators, and health insurance providers keep and exchange information in a uniform format. While the initial implementation costs are significant, it is expected that use of uniform standards will produce cost savings.
The Agency’s designated Courtney Beaupre, Chief Quality & Compliance Officer, is responsible for the development and implementation of HIPAA policies and procedures necessary for compliance. In addition, the HIPAA Privacy Officer, with the assistance of the HR Department, will be responsible for the administration of creating, posting and distributing the notice of information/privacy practices; processing authorizations for certain kinds of research, marketing, fundraising, etc.; meeting requests for correction/amendment of health records; considering requests for additional protection for, or confidential communications of, particularly sensitive health information; providing information/training to staff who have questions about HIPAA or state privacy protections; and handling any complaints from staff about possible HIPAA violations.
It is against Agency policy to retaliate against an employee for filing a complaint or for cooperating in an investigation of a complaint; such retaliation is also grounds for disciplinary action up to and including termination.
Information resulting from complaints filed under this procedure will be kept confidential by Agency management to the extent possible.
Additionally, if an employee is found to be in violation of this law or Agency policies and procedures designed to comply with HIPPA, appropriate disciplinary action may be taken up to and including termination of employment.
Page 35 / GCI, Inc. Employee Handbook 01/2007 Reviewed/Updated 08/08, 01/09, 02/09 & 07/09